Site-to-Site IPSEC VPN between Two Cisco ASA 5520

Cisco ASA 5500 Series appliances deliver IPsec and SSL VPN, firewall, and several other networking services on a single platform. Cisco ASA 5520, a member of the Cisco ASA 5500 Series, is shown in Figure 1 below.

Figure 1 Cisco Adaptive Security Appliance (ASA)

Here we will focus on a site-to-site IPsec implementation between two Cisco ASA 5520 appliances, as shown in Figure 2. The outside interface of ASA1 is assigned a dynamic IP address by the service provider over DHCP, while the outside interface of ASA2 is configured with a static IP address. Basic IP addressing and connectivity are already in place; we will build the IPsec configuration on top of them. Although this tutorial was tested on an ASA 5520, the configuration commands are the same on the other ASA models.

Figure 2 Cisco ASA-ASA IPsec Implementation

IP Security (IPsec) can use Internet Key Exchange (IKE) for key management and tunnel negotiation. IKE involves a combination of ISAKMP/Phase 1 and IPsec/Phase 2 attributes that are negotiated between the peers. If any one of these attributes is misconfigured, the IPsec tunnel fails to establish. Therefore, it is mandatory to make sure that all of these parameters are identical on the two appliances we are using as IPsec peers.

We will start with a pre-configuration checklist to make our life easier. This checklist serves as a reference for both configuration and troubleshooting.

Table 1 Configuration Checklist: ISAKMP/Phase-1 Attributes

Attribute              Value
Encryption             AES 128-bit
Hashing                SHA-1
Authentication method  Preshared keys
DH group               Group 2 (1024-bit field)
Lifetime               86,400 seconds

After discussing Phase 1 attributes, it is important to highlight Phase 2 attributes of the IPsec VPN connection that are used to encrypt and decrypt the actual data traffic.

Table 2 Configuration Checklist: IPsec/Phase-2 Attributes

Attribute    Value
Encryption   AES 128-bit
Hashing      SHA-1
Lifetime     28,800 seconds / 4,608,000 kB
Mode         Tunnel
PFS group    None

Now that we have determined what Phase 1 and Phase 2 attributes to use, we’re ready to configure the site-to-site IPsec tunnel between ASA1 and ASA2.

The above commands conclude the IPsec VPN configuration. However, if we have NAT in our network (which is true most of the time), we still have some way to go. We must configure NAT exemption for VPN traffic. That is, traffic that will pass through the VPN tunnel (i.e. traffic between the LAN networks 192.168.1.0/24 and 10.0.0.0/24) must be excluded from the NAT operation; otherwise the packets are translated before they reach the crypto map and never match the interesting-traffic ACL.
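The following is an added example, not the configuration from the original tutorial, showing how the Table 1 and Table 2 attributes and the NAT exemption above map onto ASA commands for this topology. It assumes pre-8.3 ASA syntax (crypto isakmp policy and nat 0 access-list; 8.3+/8.4+ use crypto ikev1 and object-based NAT instead), and the ACL names, crypto map names, peer address and pre-shared key are placeholders to be replaced with your own values.

```cisco
! ---- ASA2 (static outside IP, accepts the dynamic-IP peer ASA1) ----
! Phase 1 (Table 1): AES 128-bit, SHA-1, pre-shared key, DH group 2, 86,400 s
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp enable outside
! Phase 2 (Table 2): ESP AES 128-bit / SHA-1, tunnel mode (default), no PFS
crypto ipsec transform-set ESP-AES128-SHA esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
! Interesting traffic between the two LANs (ACL name is an assumption)
access-list VPN-TRAFFIC extended permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
! ASA1's address is not known in advance, so ASA2 uses a dynamic crypto map
crypto dynamic-map DYN-MAP 10 match address VPN-TRAFFIC
crypto dynamic-map DYN-MAP 10 set transform-set ESP-AES128-SHA
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-MAP
crypto map OUTSIDE-MAP interface outside
! Dynamic-IP L2L peers authenticate against the DefaultL2LGroup tunnel group
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key <SAME-LONG-RANDOM-PSK-ON-BOTH-PEERS>
! NAT exemption: traffic destined for the tunnel must bypass NAT
access-list NONAT extended permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list NONAT

! ---- ASA1 (dynamic outside IP via DHCP, always the initiator) ----
! Identical Phase 1 policy, transform set and SA lifetimes as on ASA2 (not repeated)
access-list VPN-TRAFFIC extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
! Static crypto map pointing at ASA2's fixed public address (placeholder)
crypto map OUTSIDE-MAP 10 match address VPN-TRAFFIC
crypto map OUTSIDE-MAP 10 set peer <ASA2-PUBLIC-IP>
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES128-SHA
crypto map OUTSIDE-MAP interface outside
tunnel-group <ASA2-PUBLIC-IP> type ipsec-l2l
tunnel-group <ASA2-PUBLIC-IP> ipsec-attributes
 pre-shared-key <SAME-LONG-RANDOM-PSK-ON-BOTH-PEERS>
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
nat (inside) 0 access-list NONAT
```

Because ASA2 only learns ASA1's address when ASA1 connects, the tunnel can only be brought up by traffic from the ASA1 side; a dynamic crypto map entry never initiates.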

At this point our IPsec configuration is complete. We can generate some traffic from a host in subnet 192.168.1.0/24 connected to ASA1 to a host in subnet 10.0.0.0/24 connected to ASA2. An easy way to generate such traffic is the good old ping utility. If ping succeeds between the two subnets, the IPsec tunnel has most likely been established successfully. This can be verified with the command show crypto ipsec stats:

You can get your hands dirty with several other show crypto commands available to verify configuration and view statistics. For example, show crypto isakmp sa detail command can be used to verify ISAKMP/Phase 1 attributes, while show crypto ipsec sa command can be used to verify IPsec/Phase 2 attributes. We have shown here the output for show crypto isakmp sa detail command:
